CVE-2023-36556 – This CVE describes an incorrect authorization v... (How to Fix)

Q: What is the severity of CVE-2023-36556?

CVE-2023-36556 has a CVSS score of 8.8 (HIGH). This CVE describes an incorrect authorization vulnerability in FortiMail webmail that allows authenticated attackers to log into other users' accounts within the same web domain via crafted HTTP/HTTPS requests. The vulnerability affects FortiMail webmail versions 7.2.0-7.2.2, 7.0.0-7.0.5, and versions below 6.4.7. Attackers can potentially access sensitive email data and impersonate legitimate users.

📋 TL;DR

This CVE describes an incorrect authorization vulnerability in FortiMail webmail that allows authenticated attackers to log into other users' accounts within the same web domain via crafted HTTP/HTTPS requests. The vulnerability affects FortiMail webmail versions 7.2.0-7.2.2, 7.0.0-7.0.5, and versions below 6.4.7. Attackers can potentially access sensitive email data and impersonate legitimate users.

💻 Affected Systems

Products:

FortiMail webmail

Versions: 7.2.0 through 7.2.2, 7.0.0 through 7.0.5, and versions below 6.4.7

Operating Systems: Fortinet's proprietary OS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects webmail functionality. Requires attacker to have valid credentials for at least one account in the same web domain.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all user accounts within the same web domain, leading to data exfiltration, privilege escalation, and unauthorized access to sensitive communications.

🟠

Likely Case

Targeted account takeover allowing attackers to read emails, send messages as legitimate users, and potentially access other integrated systems.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring for unusual login patterns.

🌐 Internet-Facing: HIGH - Webmail interfaces are typically internet-facing, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this to escalate privileges and access other users' accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authenticated access but exploitation appears straightforward based on vulnerability description. No public exploit code identified at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.3, 7.0.6, 6.4.7 and above

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-202

Restart Required: Yes

Instructions:

1. Download appropriate patch version from Fortinet support portal. 2. Backup current configuration. 3. Apply firmware update via FortiMail web interface or CLI. 4. Reboot system. 5. Verify version update and functionality.

🔧 Temporary Workarounds

Restrict webmail access

all

Limit webmail access to trusted networks using firewall rules or VPN requirements

Enable multi-factor authentication

all

Implement MFA to add additional protection layer even if account takeover occurs

🧯 If You Can't Patch

Implement strict network segmentation to isolate FortiMail systems from untrusted networks
Enable detailed logging and monitoring for unusual login patterns or account access

🔍 How to Verify

Check if Vulnerable:

Check FortiMail version via web interface (System > Status) or CLI command 'get system status'

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify version is 7.2.3+, 7.0.6+, or 6.4.7+ after patch application

📡 Detection & Monitoring

Log Indicators:

Multiple successful logins from same source IP to different user accounts
Unusual login times or locations for specific users
Failed authorization attempts followed by successful logins to different accounts

Network Indicators:

HTTP/HTTPS requests with manipulated session or authentication parameters
Unusual patterns of account switching within short timeframes

SIEM Query:

source="fortimail" AND (event_type="login" OR event_type="authentication") | stats count by src_ip, user | where count > threshold

📊 Metadata

CVE ID: CVE-2023-36556

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-863

Published: October 10, 2023

Last Updated: November 21, 2024

🔗 References

https://fortiguard.com/psirt/FG-IR-23-202 Vendor Advisory
https://fortiguard.com/psirt/FG-IR-23-202 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36556, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fortimail by Fortinet

Fortimail by Fortinet

Fortimail by Fortinet

Fortimail by Fortinet

Fortimail by Fortinet

Fortimail by Fortinet

Fortimail by Fortinet

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict webmail access

Enable multi-factor authentication

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities